This month we added a new family of malicious IRC bots to MSRT - Win32/Slenfbot. IRC bots were all the rage a couple of years ago but have dropped off a little in recent times. In general, malware has both diversified and become more specialised, with many bad guys using custom communications protocols for backdoor control. Of course, what constitutes a drop is all relative. IRC is clearly still a popular backdoor control method.
So what's interesting about Slenfbot? Isn't it just another IRC bot? Well, yes and no.
Win32/Slenfbot has been removed from 80,158 distinct machines by MSRT so far. That's not quite up with the biggest bot families, but is still a sizeable chunk of machines. One of the interesting things about Slenfbot is the number of variants being produced. Since we first classified it as a family in October 2007, we have added 790 distinct variants. That's more than 16 variants a week, on average. Mostly the changes are minor - connecting to a different IRC server and port, using a different name for their file and registry entry - but many new features have been added in that time.
Unlike families such as Win32/Rbot, with source code being shared around and many different groups producing their own versions with different functionality, Slenfbot appears to be tightly controlled. Once a new feature goes in, all subsequent variants have that feature. The same goes for the control data they receive from the IRC channels they connect to, such as the file name to use when sending themselves via instant messenger - a few weeks ago they switched from using file names ending in .com to similar names ending in .scr, such as misfotos_014.JPEG-www.facebook.scr. The change was applied immediately to all variants. Incidentally, they have gone back to .com as of yesterday; the latest file names are things like NewestPicture0012.JPEG-www.imageshack.com and mifoto021jajaja.JPEG_www.myspace.com.
This gives us a good chance to watch the evolution of what is actually quite a simple IRC bot. Slenfbot's main function, its reason for existence, hasn't changed. It connects to an IRC server and joins a channel, at which time it immediately receives backdoor commands through the channel. It generally only gets two types of command:
- download and run something else
Slenfbot spreads via MSN Messenger/Windows Live Messenger. It puts itself inside a ZIP archive and sends that ZIP to other Messenger contacts using Messenger file transfer. Part of the reason it can be so dynamic is that everything else to do with how it spreads is provided through backdoor control and can be updated instantly. This includes not only the name of the file to give the worm itself, but also the name of the ZIP to put it in, the message to send along with it to entice the recipient to open it (usually things like "have you ever see this picture I took of myself?") and even a URL pointing to the latest version to send. It's an interesting twist that rather than just sending the URL to Messenger contacts, Slenfbot goes to the trouble of downloading the file, putting it in a ZIP and sending the file.
None of this has changed since the first variant of Slenfbot almost a year ago. So what has changed? Here are some of the features that have been added over that time:
- hiding its process from most task managers.
- injecting code into explorer's process to "lock" its file to prevent it being deleted and to relaunch it if it is terminated.
- overwriting the system's hosts file to block access to all sorts of domains, from anti-virus update sites to www.majorgeeks.com and www.virustotal.com.
- terminating processes - again, targetting anything that might help someone recognise they're infected, from AV programs to task manager.
- setting policies to disable task manager, registry tools, etc.
- spreading via removable drives.
Apart from the last, all of these features are designed just to make it harder for someone to find out they have Slenfbot on their machine and harder to remove it. Earlier I mentioned that Slenfbot's reason for existance hadn't changed. So what is it? When it comes down to it, Slenfbot is just a glorified downloader. As is so often the case, the real payload is separated so it can be updated or changed at any time. With that in mind, Slenfbot has been quite predictable, downloading variants of Win32/Tofsee and Win32/Matcash. Tofsee is used to relay spam and Matcash is known to install spyware toolbars. Sending spam and installing spyware? I guess Slenfbot is "just" another IRC bot after all.